edb49ead0fba64c9c35b15c7b42f8fd5856fde4d89a5eeeef529f06c23521f3f

General

Target

544d2a3215835faca58328ba66bdb14d_JaffaCakes118.exe
Size

335KB
MD5

544d2a3215835faca58328ba66bdb14d
SHA1

7041a02c12b5f633a325fce1d3aeab7b56dfe654
SHA256

edb49ead0fba64c9c35b15c7b42f8fd5856fde4d89a5eeeef529f06c23521f3f
SHA512

62accdf6684a54eab333ea61df36ccf7fe98539702d78aff712a63f822163316c2e1ba5b7372065e17681ce5eaf50915c6c47f3f525edb5084dc2a069292087b
SSDEEP

6144:DqhI966AGkAjOpoaY7pGjKa7nuuMdERxSjRSAo2PO4N2Dk:D2q6xGJOpqpaL86ORST4X2w

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\grmynj.sys	544d2a3215835faca58328ba66bdb14d_JaffaCakes118.exe

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSMedia\Parameters\ServiceDll = "%SystemRoot%\\System32\\grmynj.dll"	544d2a3215835faca58328ba66bdb14d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\MSMedia\Parameters\ServiceDll = "%SystemRoot%\\System32\\grmynj.dll"	544d2a3215835faca58328ba66bdb14d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\CONTROLSET003\Services\MSMedia\Parameters\ServiceDll = "%SystemRoot%\\System32\\grmynj.dll"	544d2a3215835faca58328ba66bdb14d_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
4980	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
5080	544d2a3215835faca58328ba66bdb14d_JaffaCakes118.exe
4980	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\0004fe30.inf	544d2a3215835faca58328ba66bdb14d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\grmynj.dll	544d2a3215835faca58328ba66bdb14d_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	544d2a3215835faca58328ba66bdb14d_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
676	Process not Found

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4980	svchost.exe
4980	svchost.exe
4980	svchost.exe

C:\Users\Admin\AppData\Local\Temp\544d2a3215835faca58328ba66bdb14d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\544d2a3215835faca58328ba66bdb14d_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5080

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k MSMedia
1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\grmynj.dll

Filesize
69KB

MD5
f8b803cfc8c74af3f26defb91fdef23c

SHA1
31322ff940413cfa6a164d84c041a5b5507927f3

SHA256
d0c454332d6a4bec9f618b9459b83af8c60a1a632d615a8878e09f125095f0cf

SHA512
e087223249a64ac2e369e7419b07238ddeb8a16292cc1dacee9d25eb8aa3085b8bc5d4aca83965b639e0dcbc04af954a01fd10bd69742c45eff1bfba54ed16bd

Download Submit
memory/5080-40-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5080-30-0x00000000032B0000-0x00000000033B0000-memory.dmp

Filesize
1024KB

Download
memory/5080-10-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/5080-24-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/5080-23-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/5080-1-0x0000000000A50000-0x0000000000AAA000-memory.dmp

Filesize
360KB

Download
memory/5080-22-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/5080-21-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/5080-20-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/5080-36-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/5080-35-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/5080-34-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/5080-33-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/5080-32-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/5080-41-0x0000000000A50000-0x0000000000AAA000-memory.dmp

Filesize
360KB

Download
memory/5080-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5080-11-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/5080-19-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/5080-31-0x00000000032B0000-0x00000000033B0000-memory.dmp

Filesize
1024KB

Download
memory/5080-18-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/5080-17-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/5080-16-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/5080-15-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/5080-14-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/5080-12-0x0000000003260000-0x0000000003262000-memory.dmp

Filesize
8KB

Download
memory/5080-9-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/5080-8-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/5080-7-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/5080-6-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/5080-3-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/5080-13-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/5080-4-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/5080-2-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing